Evasion is always a goal of cybercriminals, and they are not above misusing legitimate sites and services to hide malicious activity. One recent example is BKDR_VERNOT.A, which tried to use Evernote to hide its activities. Another variant of this malware was recently spotted; this one uses a Japanese blogging platform as its command-and-control (C&C) server, successfully logging in to an account on the platform.

Network activity of BKDR_VERNOT.B

BKDR_VERNOT.B logs in and creates a draft where it uses the affected machine’s computer name as its title. It then adds the text “$_$Today is a very important day for me.$” and the date and time the malware was executed to the created draft.

It may use the drafts as a drop-off point of stolen information, as well as its C&C server where it gets its backdoor commands. Some of the stolen information includes the computer’s OS information, time zone, and user name.

After getting commands from the blog account, the malware may execute the following backdoor commands:

Download files

Execute files

Rename files

Extract archive files

For every backdoor command BKDR_VERNOT.B does, it reports back to the blog draft by editing it and adding the following strings:

file create failed – If file download fails

download file succeed – If file download succeeds

Run failed – If file execution fails

Run succeed – If file execution succeeds

Exe file not found – If file to be executed is not found

Unzip failed – If extracting archive file fails

Unzip succeed – If extracting archive file succeeds

Unzip file not found – If archive file is not found

rename file failed – If renaming file fails

rename file succeed – If renaming file succeeds

src file not found – If file to be renamed is not found
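As an added example (not code from the original post or from the malware), the following defender-side triage check takes draft titles and bodies recovered from a blog account or from proxy logs and flags the behaviour described above: the first-contact marker string, the computer name used as the draft title, and the status strings appended after each backdoor command. The sample drafts and the hostname are constructed.

```python
import re

# Marker the malware writes into the new draft, followed by the execution date and time.
BEACON_MARKER = "$_$Today is a very important day for me.$"

# Status strings the malware appends to the draft after each backdoor command,
# mapped to (command, outcome); all taken from the behaviour described above.
RESULT_STRINGS = {
    "file create failed": ("download", "failed"),
    "download file succeed": ("download", "succeeded"),
    "Run failed": ("execute", "failed"),
    "Run succeed": ("execute", "succeeded"),
    "Exe file not found": ("execute", "target missing"),
    "Unzip failed": ("extract", "failed"),
    "Unzip succeed": ("extract", "succeeded"),
    "Unzip file not found": ("extract", "target missing"),
    "rename file failed": ("rename", "failed"),
    "rename file succeed": ("rename", "succeeded"),
    "src file not found": ("rename", "target missing"),
}
# Word-bounded, case-insensitive pattern per status string, so "Run failed"
# does not fire inside unrelated text such as "rerun failed".
_PATTERNS = [(re.compile(r"\b%s\b" % re.escape(s), re.I), m) for s, m in RESULT_STRINGS.items()]

def inspect_draft(title, body, hostname):
    """Check one draft (title and body) against the VERNOT.B patterns described above."""
    results = [m for pat, m in _PATTERNS for _ in pat.finditer(body)]
    beacon = BEACON_MARKER in body
    title_is_hostname = title.strip().lower() == hostname.lower()
    # The marker alone is decisive; otherwise require the hostname title plus a status string,
    # so that ordinary prose containing "run failed" is not flagged.
    suspicious = beacon or (title_is_hostname and bool(results))
    return {"title": title, "beacon": beacon, "title_is_hostname": title_is_hostname,
            "results": results, "suspicious": suspicious}

def scan_drafts(drafts, hostname):
    """Return only the drafts that look like VERNOT.B drop-off / C&C traffic."""
    return [f for f in (inspect_draft(t, b, hostname) for t, b in drafts) if f["suspicious"]]

# Constructed sample drafts (not real captures): one benign, one mimicking the malware's
# draft after it reported a successful download and a failed execution.
SAMPLE_DRAFTS = [
    ("Weekly notes", "Reminder: the run failed on Friday, retry the build."),
    ("WKSTN-0042", BEACON_MARKER + " 2013/04/22 09:41:07\ndownload file succeed\nRun failed\n"),
]

if __name__ == "__main__":
    for f in scan_drafts(SAMPLE_DRAFTS, hostname="WKSTN-0042"):
        print(f["title"], "beacon" if f["beacon"] else "", f["results"])
```

The benign draft shows why the status strings alone are a weak signal: "run failed" matches, but without the marker or the hostname title the draft is not reported.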

Using sites like the Japanese blogging platform generates network traffic that may not be easily detected as malicious. Evernote, Google Docs, and Sendspace are examples of legitimate sites that have been misused by cybercriminals to store information and communicate with remote servers. These examples show that popular sites can become not only targets, but also tools of cybercriminals.



This entry was posted on Tuesday, April 23rd, 2013 at 12:06 pm and is filed under Malware.